Services Scan Support

cli/docs/flags.go

@@ -123,6 +123,7 @@ const (
 	Licenses            = "licenses"
 	Sbom                = "sbom"
 	Snippet             = "snippet"
+	Services            = "services-scan"
 	Fail                = "fail"
 	ExtendedTable       = "extended-table"
 	MinSeverity         = "min-severity"
@@ -202,7 +203,7 @@ var commandFlags = map[string][]string{
 		binarySca, binarySecrets, binaryWithoutCA, SecretValidation, OutputDir, AnalyzerManagerCustomPath,
 	},
 	Audit: {
-		Url, XrayUrl, user, password, accessToken, ServerId, InsecureTls, scanProjectKey, Watches, RepoPath, Snippet, Sbom, Licenses, OutputFormat, ExcludeTestDeps,
+		Url, XrayUrl, user, password, accessToken, ServerId, InsecureTls, scanProjectKey, Watches, RepoPath, Snippet, Services, Sbom, Licenses, OutputFormat, ExcludeTestDeps,
 		useWrapperAudit, DepType, RequirementsFile, Fail, ExtendedTable, WorkingDirs, ExclusionsAudit, Mvn, Gradle, Npm,
 		Pnpm, Yarn, Go, Swift, Cocoapods, Nuget, Pip, Pipenv, Poetry, MinSeverity, FixableOnly, ThirdPartyContextualAnalysis, Threads,
 		auditSca, auditIac, auditSast, auditSecrets, auditWithoutCA, SecretValidation, ScanVuln, OutputDir, SkipAutoInstall, AllowPartialResults, MaxTreeDepth,
@@ -215,7 +216,7 @@ var commandFlags = map[string][]string{
 		// Connection params
 		Url, XrayUrl, user, password, accessToken, ServerId, InsecureTls,
 		// Violations params
-		scanProjectKey, Watches, Snippet, ScanVuln, Fail,
+		scanProjectKey, Watches, Snippet, Services, ScanVuln, Fail,
 		// Scan params
 		Threads, ExclusionsAudit,
 		auditSca, auditIac, auditSast, auditSecrets, auditWithoutCA, SecretValidation, Sbom,
@@ -283,6 +284,7 @@ var flagsMap = map[string]components.Flag{
 	Watches:          components.NewStringFlag(Watches, "Comma-separated list of Xray watches to determine violations. Supported violations are CVEs, operational risk, and Licenses. Incompatible with --project and --repo-path."),
 	RepoPath:         components.NewStringFlag(RepoPath, "Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities."),
 	Snippet:          components.NewBoolFlag(Snippet, "Set to true if you'd like to enables snippet-level detection to identify copied code from third-party components and surface related license violations.", components.SetHiddenBoolFlag()),
+	Services:         components.NewBoolFlag(Services, "Set to true to enable services detection.", components.SetHiddenBoolFlag()),
 	Licenses:         components.NewBoolFlag(Licenses, "Set if you'd also like the list of licenses to be displayed."),
 	Sbom:             components.NewBoolFlag(Sbom, "Set if you'd like all the SBOM (Software Bill of Materials) components to be displayed and not only the affected. Ignored if provided 'format' is not 'table' or 'cyclonedx'."),
 	OutputFormat: components.NewStringFlag(

cli/gitcommands.go

@@ -98,12 +98,17 @@ func GitAuditCmd(c *components.Context) error {
 	if err != nil {
 		return err
 	}
+	includeServicesDetection, err := validateServicesDetection(c)
+	if err != nil {
+		return err
+	}
 	gitAuditCmd.SetSbomGenerator(sbomGenerator).SetScaScanStrategy(scaScanStrategy)
 	gitAuditCmd.SetViolationGenerator(violationGenerator)
 	gitAuditCmd.SetUploadCdxResults(uploadResults).SetRtResultRepository(c.GetStringFlagValue(flags.UploadRtRepoPath))
 	gitAuditCmd.SetCustomBomGenBinaryPath(c.GetStringFlagValue(flags.XrayLibPluginBinaryCustomPath))
 	gitAuditCmd.SetCustomAnalyzerManagerBinaryPath(c.GetStringFlagValue(flags.AnalyzerManagerCustomPath))
 	gitAuditCmd.SetIncludeSnippetDetection(includeSnippetDetection)
+	gitAuditCmd.SetIncludeServicesDetection(includeServicesDetection)
 	// Run the command with progress bar if needed, Reporting error if Xsc service is enabled
 	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, gitAuditCmd.GetProjectKey(), progressbar.ExecWithProgress(gitAuditCmd))
 	return err

cli/scancommands.go

@@ -555,6 +555,10 @@ func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDe
 	if err != nil {
 		return "", "", nil, nil, err
 	}
+	includeServicesDetection, err := validateServicesDetection(c)
+	if err != nil {
+		return "", "", nil, nil, err
+	}
 	auditCmd.SetBomGenerator(sbomGenerator).SetCustomBomGenBinaryPath(c.GetStringFlagValue(flags.XrayLibPluginBinaryCustomPath))
 	auditCmd.SetScaScanStrategy(scaScanStrategy)
 	auditCmd.SetViolationGenerator(violationGenerator)
@@ -565,6 +569,7 @@ func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDe
 		SetIncludeLicenses(c.GetBoolFlagValue(flags.Licenses)).
 		SetIncludeSbom(shouldIncludeSbom(c, format)).
 		SetIncludeSnippetDetection(includeSnippetDetection).
+		SetIncludeServicesDetection(includeServicesDetection).
 		SetFail(c.GetBoolFlagValue(flags.Fail)).
 		SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).
 		SetMinSeverityFilter(minSeverity).

cli/utils.go

@@ -155,6 +155,17 @@ func validateSnippetDetection(c *components.Context) (bool, error) {
 	return true, nil
 }
 
+func isServicesDetectionEnabled(c *components.Context) bool {
+	if !c.IsFlagSet(flags.Services) {
+		return false
+	}
+	return c.GetBoolFlagValue(flags.Services)
+}
+
+func validateServicesDetection(c *components.Context) (bool, error) {
+	return isServicesDetectionEnabled(c), nil
+}
+
 func getSubScansToPreform(c *components.Context) (subScans []utils.SubScanType, err error) {
 	if c.GetBoolFlagValue(flags.WithoutCA) && !c.GetBoolFlagValue(flags.Sca) {
 		// No CA flag provided but sca flag is not provided, error

commands/audit/audit.go

@@ -49,17 +49,18 @@ import (
 )
 
 type AuditCommand struct {
-	watches                 []string
-	gitRepoHttpsCloneUrl    string
-	projectKey              string
-	targetRepoPath          string
-	IncludeVulnerabilities  bool
-	IncludeLicenses         bool
-	IncludeSbom             bool
-	IncludeSnippetDetection bool
-	Fail                    bool
-	PrintExtendedTable      bool
-	Threads                 int
+	watches                  []string
+	gitRepoHttpsCloneUrl     string
+	projectKey               string
+	targetRepoPath           string
+	IncludeVulnerabilities   bool
+	IncludeLicenses          bool
+	IncludeSbom              bool
+	IncludeSnippetDetection  bool
+	IncludeServicesDetection bool
+	Fail                     bool
+	PrintExtendedTable       bool
+	Threads                  int
 	AuditParams
 }
 
@@ -111,6 +112,11 @@ func (auditCmd *AuditCommand) SetIncludeSnippetDetection(include bool) *AuditCom
 	return auditCmd
 }
 
+func (auditCmd *AuditCommand) SetIncludeServicesDetection(include bool) *AuditCommand {
+	auditCmd.IncludeServicesDetection = include
+	return auditCmd
+}
+
 func (auditCmd *AuditCommand) SetFail(fail bool) *AuditCommand {
 	auditCmd.Fail = fail
 	return auditCmd
@@ -127,15 +133,16 @@ func (auditCmd *AuditCommand) SetThreads(threads int) *AuditCommand {
 }
 
 // Create a results context based on the provided parameters. resolves conflicts between the parameters based on the retrieved platform watches.
-func CreateAuditResultsContext(serverDetails *config.ServerDetails, xrayVersion string, watches []string, artifactoryRepoPath, projectKey, gitRepoHttpsCloneUrl string, includeVulnerabilities, includeLicenses, includeSbom, includeSnippetDetection bool) (context results.ResultContext) {
+func CreateAuditResultsContext(serverDetails *config.ServerDetails, xrayVersion string, watches []string, artifactoryRepoPath, projectKey, gitRepoHttpsCloneUrl string, includeVulnerabilities, includeLicenses, includeSbom, includeSnippetDetection, includeServicesDetection bool) (context results.ResultContext) {
 	context = results.ResultContext{
-		RepoPath:                artifactoryRepoPath,
-		Watches:                 watches,
-		ProjectKey:              projectKey,
-		IncludeVulnerabilities:  shouldIncludeVulnerabilities(includeVulnerabilities, watches, artifactoryRepoPath, projectKey, ""),
-		IncludeLicenses:         includeLicenses,
-		IncludeSbom:             includeSbom,
-		IncludeSnippetDetection: includeSnippetDetection,
+		RepoPath:                 artifactoryRepoPath,
+		Watches:                  watches,
+		ProjectKey:               projectKey,
+		IncludeVulnerabilities:   shouldIncludeVulnerabilities(includeVulnerabilities, watches, artifactoryRepoPath, projectKey, ""),
+		IncludeLicenses:          includeLicenses,
+		IncludeSbom:              includeSbom,
+		IncludeSnippetDetection:  includeSnippetDetection,
+		IncludeServicesDetection: includeServicesDetection,
 	}
 	if err := clientutils.ValidateMinimumVersion(clientutils.Xray, xrayVersion, services.MinXrayVersionGitRepoKey); err != nil {
 		// Git repo key is not supported by the Xray version.
@@ -187,6 +194,29 @@ func shouldIncludeSnippetDetection(params *AuditParams) bool {
 	return strings.ToLower(os.Getenv(plugin.SnippetDetectionEnvVariable)) == "true"
 }
 
+func configProfileEnablesServicesScan(profile *xscservices.ConfigProfile) bool {
+	if profile == nil {
+		return false
+	}
+	for _, module := range profile.Modules {
+		if module.ScanConfig.ServicesScannerConfig.EnableServicesScan {
+			return true
+		}
+	}
+	return false
+}
+
+func shouldIncludeServicesDetection(params *AuditParams) bool {
+	if profile := params.GetConfigProfile(); profile != nil {
+		for _, module := range profile.Modules {
+			if module.ScanConfig.ServicesScannerConfig.EnableServicesScan {
+				return true
+			}
+		}
+	}
+	return params.resultsContext.IncludeServicesDetection
+}
+
 func logScanPaths(workingDirs []string, isRecursiveScan bool) {
 	if len(workingDirs) == 0 {
 		return
@@ -263,6 +293,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 			auditCmd.IncludeLicenses,
 			auditCmd.IncludeSbom,
 			auditCmd.IncludeSnippetDetection,
+			auditCmd.IncludeServicesDetection,
 		)).
 		SetGitContext(auditCmd.GitContext()).
 		SetThirdPartyApplicabilityScan(auditCmd.thirdPartyApplicabilityScan).
@@ -444,6 +475,16 @@ func initAuditCmdResults(params *AuditParams) (cmdResults *results.SecurityComma
 		}
 		cmdResults.SetEntitledForSnippetDetection(entitledForSnippetDetection)
 	}
+	if shouldIncludeServicesDetection(params) {
+		entitledForServicesDetection, err := isEntitledForServicesDetection(entitledForJas, xrayManager, params)
+		if err != nil {
+			return cmdResults.AddGeneralError(err, false)
+		}
+		if !entitledForServicesDetection {
+			return cmdResults.AddGeneralError(fmt.Errorf("services detection is requested but the JFrog instance is not entitled for it"), false)
+		}
+		cmdResults.SetEntitledForServicesDetection(entitledForServicesDetection)
+	}
 	return
 }
 
@@ -463,6 +504,13 @@ func isEntitledForSnippetDetection(isEntitledForJas bool, xrayManager *xray.Xray
 	return xrayutils.IsEntitled(xrayManager, auditParams.GetXrayVersion(), xrayplugin.SnippetDetectionFeatureId)
 }
 
+func isEntitledForServicesDetection(isEntitledForJas bool, xrayManager *xray.XrayServicesManager, auditParams *AuditParams) (entitled bool, err error) {
+	if !isEntitledForJas {
+		return false, nil
+	}
+	return xrayutils.IsEntitled(xrayManager, auditParams.GetXrayVersion(), xrayplugin.ServicesDetectionFeatureId)
+}
+
 func populateScanTargets(cmdResults *results.SecurityCommandResults, params *AuditParams) {
 	// Populate the scan targets based on the provided parameters.
 	detectScanTargets(cmdResults, params)
@@ -485,6 +533,7 @@ func populateScanTargets(cmdResults *results.SecurityCommandResults, params *Aud
 		bom.GenerateSbomForTarget(params.BomGenerator().WithOptions(
 			buildinfo.WithDescriptors(targetResult.GetDescriptors()),
 			xrayplugin.WithSnippetDetection(shouldIncludeSnippetDetection(params)),
+			xrayplugin.WithServicesDetection(shouldIncludeServicesDetection(params)),
 		),
 			bom.SbomGeneratorParams{
 				Target:               targetResult,
@@ -503,6 +552,9 @@ func shouldGenerateSbom(params *AuditParams) bool {
 	if params.resultsContext.IncludeSbom {
 		return true
 	}
+	if shouldIncludeServicesDetection(params) {
+		return true
+	}
 	scansToPerform := params.ScansToPerform()
 	if slices.Contains(scansToPerform, utils.ScaScan) {
 		return true

commands/audit/audit_test.go

@@ -309,6 +309,32 @@ func TestShouldGenerateSbom(t *testing.T) {
 			}(),
 			expectSbom: false,
 		},
+		{
+			name: "services detection only",
+			params: func() *AuditParams {
+				params := NewAuditParams().SetResultsContext(results.ResultContext{IncludeServicesDetection: true})
+				params.SetScansToPerform([]utils.SubScanType{utils.SastScan})
+				return params
+			}(),
+			expectSbom: true,
+		},
+		{
+			name: "services enabled in config profile without sca",
+			params: func() *AuditParams {
+				params := NewAuditParams().SetResultsContext(results.ResultContext{})
+				params.SetScansToPerform([]utils.SubScanType{utils.SastScan})
+				params.SetConfigProfile(&services.ConfigProfile{
+					Modules: []services.Module{{
+						ScanConfig: services.ScanConfig{
+							ScaScannerConfig:      services.ScaScannerConfig{EnableScaScan: false},
+							ServicesScannerConfig: services.ServicesScannerConfig{EnableServicesScan: true},
+						},
+					}},
+				})
+				return params
+			}(),
+			expectSbom: true,
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -939,23 +965,25 @@ func TestCreateResultsContext(t *testing.T) {
 		testCases := []struct {
 			name string
 
-			artifactoryRepoPath     string
-			httpCloneUrl            string
-			watches                 []string
-			jfrogProjectKey         string
-			includeVulnerabilities  bool
-			includeLicenses         bool
-			includeSbom             bool
-			includeSnippetDetection bool
+			artifactoryRepoPath      string
+			httpCloneUrl             string
+			watches                  []string
+			jfrogProjectKey          string
+			includeVulnerabilities   bool
+			includeLicenses          bool
+			includeSbom              bool
+			includeSnippetDetection  bool
+			includeServicesDetection bool
 
-			expectedArtifactoryRepoPath     string
-			expectedHttpCloneUrl            string
-			expectedWatches                 []string
-			expectedJfrogProjectKey         string
-			expectedIncludeVulnerabilities  bool
-			expectedIncludeLicenses         bool
-			expectedIncludeSbom             bool
-			expectedIncludeSnippetDetection bool
+			expectedArtifactoryRepoPath      string
+			expectedHttpCloneUrl             string
+			expectedWatches                  []string
+			expectedJfrogProjectKey          string
+			expectedIncludeVulnerabilities   bool
+			expectedIncludeLicenses          bool
+			expectedIncludeSbom              bool
+			expectedIncludeSnippetDetection  bool
+			expectedIncludeServicesDetection bool
 		}{
 			{
 				name:            "Only Vulnerabilities",
@@ -995,6 +1023,12 @@ func TestCreateResultsContext(t *testing.T) {
 				expectedIncludeVulnerabilities:  true,
 				expectedIncludeSnippetDetection: true,
 			},
+			{
+				name:                             "Services Detection - no violation context",
+				includeServicesDetection:         true,
+				expectedIncludeVulnerabilities:   true,
+				expectedIncludeServicesDetection: true,
+			},
 			{
 				name:                    "All",
 				httpCloneUrl:            validations.TestMockGitInfo.Source.GitRepoHttpsCloneUrl,
@@ -1018,7 +1052,7 @@ func TestCreateResultsContext(t *testing.T) {
 			t.Run(fmt.Sprintf("%s - %s", test.name, testCase.name), func(t *testing.T) {
 				mockServer, serverDetails, _ := validations.XrayServer(t, validations.MockServerParams{XrayVersion: test.xrayVersion, ReturnMockPlatformWatches: test.expectedPlatformWatches})
 				defer mockServer.Close()
-				context := CreateAuditResultsContext(serverDetails, test.xrayVersion, testCase.watches, testCase.artifactoryRepoPath, testCase.jfrogProjectKey, testCase.httpCloneUrl, testCase.includeVulnerabilities, testCase.includeLicenses, testCase.includeSbom, testCase.includeSnippetDetection)
+				context := CreateAuditResultsContext(serverDetails, test.xrayVersion, testCase.watches, testCase.artifactoryRepoPath, testCase.jfrogProjectKey, testCase.httpCloneUrl, testCase.includeVulnerabilities, testCase.includeLicenses, testCase.includeSbom, testCase.includeSnippetDetection, testCase.includeServicesDetection)
 				assert.Equal(t, testCase.expectedArtifactoryRepoPath, context.RepoPath)
 				assert.Equal(t, testCase.expectedHttpCloneUrl, context.GitRepoHttpsCloneUrl)
 				assert.Equal(t, testCase.expectedWatches, context.Watches)
@@ -1027,6 +1061,7 @@ func TestCreateResultsContext(t *testing.T) {
 				assert.Equal(t, testCase.expectedIncludeLicenses, context.IncludeLicenses)
 				assert.Equal(t, testCase.expectedIncludeSbom, context.IncludeSbom)
 				assert.Equal(t, testCase.expectedIncludeSnippetDetection, context.IncludeSnippetDetection)
+				assert.Equal(t, testCase.expectedIncludeServicesDetection, context.IncludeServicesDetection)
 			})
 		}
 	}

commands/git/audit/gitaudit.go

@@ -90,6 +90,7 @@ func toAuditParams(params GitAuditParams) *sourceAudit.AuditParams {
 		params.resultsContext.IncludeLicenses,
 		params.includeSbom,
 		params.resultsContext.IncludeSnippetDetection,
+		params.resultsContext.IncludeServicesDetection,
 	)
 	auditParams.SetResultsContext(resultContext)
 	log.Debug(fmt.Sprintf("Results context: %+v", resultContext))

commands/git/audit/gitauditparams.go

@@ -89,6 +89,11 @@ func (gap *GitAuditParams) SetIncludeSnippetDetection(includeSnippetDetection bo
 	return gap
 }
 
+func (gap *GitAuditParams) SetIncludeServicesDetection(includeServicesDetection bool) *GitAuditParams {
+	gap.resultsContext.IncludeServicesDetection = includeServicesDetection
+	return gap
+}
+
 func (gap *GitAuditParams) SetScansToPerform(scansToPerform []utils.SubScanType) *GitAuditParams {
 	gap.scansToPerform = scansToPerform
 	return gap